Thoughts, Musings, and Other Items from the Worlds of Infosec, ICS, and Beyond

I attended an interesting presentation at the EnergySec Pacific Rim summit discussing the role of machine learning and artificial intelligence (ML/AI) in network security and ICS operations. The talk was mostly an overview of potential applications and niches for ML/AI within these spaces, which in itself is refreshing as ML/AI is frequently touted as a dramatic, overall solution for numerous security problems as opposed to just another tool in the information security toolbox. More importantly, Read more…

A common statement heard in information security circles these days is “the perimeter is dead.” The concept behind the statement is simple and seemingly obvious. Historically, security professionals only dealt with two networks: the “home” network (which was managed, safe, and trusted) and the “outside” or “external” network (regarded as risky, if not outright dangerous, and uncontrolled). Separating these two was the “perimeter” – the classic example of a firewall governing what traffic is permitted Read more…

The concept of praise and blame – or moral responsibility more generally – is a central concept in ethics that features many responses. Of note in evaluating various approaches to the problem is the concept of human fallibility in the face of ethical decision-making. For Aristotle, humanity is intrinsically flawed due to the experience of emotion and feeling, resulting in a “weakness of the will” (akrasia) – thus an individual may very well know or Read more…

As we move into late December (I started writing this on 23 December 2018), all eyes in the information security and especially the industrial control system (ICS) security space typically turn to Ukraine. In 2015 and again in 2016, malicious entities – likely Russian in origin – gained access to and successfully manipulated Ukrainian electric distribution and transmission (in 2015 and 2016, respectively) to create outages within the greater Kiev/Kyiv region. The last two years Read more…

19 and 20 December 2018 will likely blend into the overall insanity of the entire year, especially when considered from a US/UK political perspective. Yet these dates, aside from being consecutive, also featured an interesting juxtaposition in the world of cybersecurity threat intelligence. On 19 December 2018, the company Area1 Security in conjunction with the New York Times (NYT) released a report blaming the People’s Republic of China (PRC) for intrusions into European Union diplomatic Read more…

On 15 November, something long-awaited (and presumably expected) came to pass in the information security community – CozyBear/APT29/CozyDuke/”The Dukes”/”Office Monkeys” were (or seemed to be) back. Subsequent reporting defined the scope of the event: a large phishing campaign on 14 November targeting multiple organizations spanning “military agencies, law enforcement, defense contractors, media companies and pharmaceutical companies,” among other entities. The campaign itself offered a number of items that screamed attribution to CozyBear – reuse of Read more…

When reporting on cyber-attacks, articles and media frequently (if not exclusively) focus on the damage or immediate result: how many machines were impacted, how much data was compromised, or what (if any) physical consequences emerged from the event. The latter is especially the case with ICS-focused attacks, from Stuxnet to CRASHOVERRIDE to TRISIS. While this emphasis is understandable and obvious, it also obscures or ignores an important aspect that serves as either a significant secondary Read more…

The CRASHOVERRIDE event is significant for many reasons: it represents the first-known malware-directed attack on civilian power systems; and it represents a worrying escalation in operations against Ukrainian critical infrastructure. Yet for all its conceptual boldness in expanding cyber attack operations within industrial control systems (ICS), at a technical, practical level the attack in many respects exhibited many mistakes, errors, and outright failures in execution. When examining the event, those interested in ICS security should Read more…

Recently I engaged in conversation with Dale Peterson dealing with the gas explosion events in Massachusetts. For background, following the event in question there were multiple unfounded claims of a “cyber” cause behind these events followed by significant pushback from various ICS security experts. Where Dale and I enter the picture and disagree concerns reported comments from the American Gas Association (AGA) via Blake Sobczak: “…the information we have seen reported in the media is Read more…

Recently I was part of a Twitter conversation that started with excellent points on profiling and managing threats that led to some good comments on the value of “who-based” attribution. If you’ve followed this blog and my related works, you will know that I already have strong feelings on the concept of threat profiling and really enjoy discussing the subject – to the point where I’m building a two-day class on the idea applied to Read more…